Members:

Ailsa Beaton (chair) Non-Executive Director 

Roger Barlow Independent Audit Committee member

Jane McCall Non-Executive Director 

Attendees: 

ICO

Paul Arnold Deputy CEO 

Louise Byers Head of Risk and Governance 

Elizabeth Denham Information Commissioner 

Heather Dove Head of Finance 

Internal Auditors 

Phil Keown Grant Thornton 

Gary Stewart Mazars 

Graham Clarke Mazars 

External Auditors 

Matthew Atkinson National Audit Office 

David Eagles BDO (by telephone) 

Secretariat 

Peter Bloomfield Senior Corporate Governance Manager 

Caroline Robinson Corporate Governance Officer 


1. Introductions and apologies 
1.1. There were no apologies received. 


2. Declaration of interests 
2.1. There were no declarations of interest. 


3. Matters arising from the previous meeting 
3.1 The minutes were confirmed as being accurate. 


3.2 Peter Bloomfield advised the committee that all actions 
from the previous meeting had been cleared. 


4. Commissioner’s update 


4.1. Elizabeth Denham updated the Committee on matters 
affecting the ICO including the ongoing pay negotiations, the 
laying of the regulations for the new funding regime under 
GDPR, and passage of the Data Protection Bill through 
Parliament. In addition the ICO had been involved in a high 
profile investigation which was still being progressed. 


4.2. It was confirmed that the revised Management 
Agreement between the ICO and DCMS would be in place 
shortly. 


5. Risk and opportunity register 


5.1. Louise Byers introduced a revised risk and opportunity 
register, and advised the Committee of the main changes. It 
was confirmed that the register was regularly reviewed by 
the Steering Groups and Senior Leadership Team. 


5.2. The Committee questioned the risks linked to GDPR 
preparation. It was considered that GDPR preparation had 
gone well and the ICO was well prepared for implementation 
in May. It was also confirmed that the scoring of risks on the 
register took account of mitigating actions, ie scores were net 
rather than gross. 


5.3. Ailsa Beaton proposed that the Audit Committee should
review the detailed risk and opportunity register annually. 


Action Point 1: Peter Bloomfield to explore the best 
time for an annual review of the risk and opportunity 
register by the Audit Committee and to ensure it was 
included in the Committee’s annual timetable. 


6. Outstanding audit recommendations 


6.1. Peter Bloomfield introduced the register of outstanding 
audit recommendations. The recommendations made in 
internal audit reports coming to this meeting had been 
included, and some had already been cleared. There were no 
late recommendations. 


6.2. The Audit Committee was pleased to note the good 
overall progress on delivering recommendations, but
encouraged management to proactively discuss and agree
recommendations and timings with the Internal Auditors 
before audit reports are finalised. There needed to be clarity 
as to whether a recommendation was accepted and when it 
was cleared. 


6.3. The Committee agreed to clear the outstanding action 
on the submission of legal packs as the courts the ICO 
worked with did not currently use such packs. 


6.4. In respect of the recommendation in the Corporate 
Governance and Risk review for Management Board to 
consider the need for a Remuneration Committee, there were 
concerns about the timescale for this to happen. To help 
demonstrate good governance, Committee members thought 
the deadline ought to be brought forward. 


6.5. Paul Arnold would review the deadline and report back 
to the next Audit Committee on the date a decision was 
expected to be made on the setting up of a Remuneration 
Committee. 


Action point 2: Paul Arnold to review the deadline for 
clearance of the Corporate Governance Review 
recommendation and report back to the next 
Committee meeting (in June) on the expected date.


7. Internal audit 


7.1. Grant Thornton presented the completed internal audit 
reports. 

Data protection law reform follow-up review 

7.2. Grant Thornton confirmed that findings in the original
review had all been completed. There was a new
recommendation on project progress reporting, based on a 
general lessons learnt approach given the closeness of GDPR 
implementation. 


Corporate Governance review 


7.3. This review had looked at overall corporate governance
arrangements. A clear report had been given with one 
recommendation on consideration of the need for a 
Remuneration Committee (see above). 


IT supplier contract management review 


7.4. The focus of this review was on the major elements a 
contract with an IT supplier should have. Again this was a 
clear review with minor recommendations about tightening 
procedures. 


Expenses review 


7.5. It was confirmed that the ICO was compliant with HMRC
rules in respect of its expenses policy and procedure. 
Recommendations related to monitoring and recording any 
divergence from the policy. 


7.6. Ailsa Beaton asked if management were going to 
formally respond to the reporting. Given the low risk 
associated with the recommendations the position was to be 
monitored rather than changes made to the process. 


Action point 3: Heather Dove to amend the response to 
the recommendation to clarify the position. 


Follow-up review 


7.7. The process in place to follow up and clear audit 
recommendations was working with evidence to support the 
clearing of the audit recommendations considered. 


Internal audit annual report 2017/18 


7.8. Grant Thornton introduced the draft internal audit 
annual report for 2017/18. The opinion covering risk 
management, corporate governance and internal controls (on 
both the design effectiveness and operation effectiveness) 
was clean. 


Action point 4: Phil Keown to amend the report to 
“final” and to provide the ICO with the amended
version. 


7.9. Ailsa Beaton thanked Grant Thornton for all their
efforts over the years and asked that the thanks be passed 
on to those conducting the audits. 


8. External audit 


8.1. David Eagles confirmed that the final audit visit will take 
place shortly. They did not expect any issues to arise and the 
risk assessment has not changed from that previously 
presented. 


8.2. Ailsa Beaton mentioned that it had been helpful for the
Finance Department to raise possible issues in advance with 
the external auditors. 


8.3. The Committee thanked the Finance Department for 
their work on the accounts and in clearing issues raised.


9. Annual Report and Accounts


9.1. Heather Dove confirmed that year end expenditure was 
within the 1% limit agreed with DCMS. 


9.2. Looking forward to 2018/19, one of the challenges for the
coming year will be the funding for high profile investigations. 


9.3. The annual audit report was brought to the committee 
for information and any comments. 


Action Point 4: Ailsa Beaton to provide Peter 
Bloomfield with wording for the Accountability Section 
of the Annual Report on links with DCMS ALB Audit 
Committee chairs. 


10. Fraud, whistleblowing and security 


10.1. Peter Bloomfield ran through the Quarterly report on 
security incidents. There were three incidents that were rated 
medium. All other incidents were rated low. 


10.2. Paul Arnold confirmed that incidents were investigated 
with lessons learnt formally recorded and disseminated. The 
Committee discussed the value in the lessons learnt being 
added to the report. It was agreed that it would be beneficial 
to the Committee. 


Action Point 5: Louise Byers and Peter Bloomfield to 
consider how best to add lessons learnt to the report. 


11. NAO Guidance 


11.1. The half yearly NAO update for Audit Committees was 
circulated for information. 


12. Any other urgent business
12.1. There was no other urgent business.


13. Internal Audit Strategy 2018/19 to 2020/21


13.1. The internal audit strategy was presented by the newly 
appointed internal auditors, Mazars. They noted that the 
strategy had been developed in detailed conversations with 
ICO management based on the risk register and other 
corporate documentation. They also noted that, given the
rapidly changing environment the ICO was currently subject
to, the strategy would be reviewed at least annually.


13.2. It was clarified that the financial planning audit was 
required as the ICO was rapidly increasing in size and there 
was a need to ensure the systems were valid for a larger 
organisation. 


13.3. It was confirmed that Mazars should meet formally with 
the Commissioner. 


Action point 6: Peter Bloomfield to set up a meeting 
between the Commissioner and Mazars in the near 
future. 


13.4. The committee approved the plan. 


